View Issue Details

ID: 0000628
Project: bareos-core
Category: director
View Status: public
Last Update: 2016-09-16 11:57
Reporter: otto
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: Debian
OS Version: 8
Product Version: 15.2.2
Fixed in Version: 16.2.4
Summary: 0000628: output of list command not restricted for own jobs/clients on restricted consoles with ACLs
Description: We use restricted consoles for self-service.
A user can restore his own backups.
The list command is necessary to get information about the backups.

Console {
  Name = user1
  Password = "xxx"
  Profile = user-restore
  JobACL = "userpc1-bj", "userpc2-bj"
  ClientACL = "userpc1.example.com", "userpc2.example.com"
}

Profile {
  Name = user-restore
  JobACL = "dummy-fd", "RestoreDummy"
  ClientACL = "dummy-fd"
  StorageACL = "LTO-X", "VTL_VIB"
  ScheduleACL = none
  PoolACL = "3W", "3M", "VIBP", "VFBP"
  FileSetACL = *all*
  CatalogACL = "MyCatalog"
  CommandACL = exit, status, restore, list, help, .client, .jobs, estimate
}


Now the user can get all unfiltered information with the list command (unlike the other commands).

*list jobs
*list pools
*list clients
*list ...

Also the logs and files ...

*list files jobid=...
*list joblog jobid=...
Steps To Reproduce: Configure ACL with list command and only some jobs and clients ...
Tags: No tags attached.

Relationships

has duplicate 0000656 closed Not possible to limit permissions properly 

Activities

robhost

2016-04-07 16:03

reporter   ~0002229

As the web-ui also uses the restricted consoles, the issue affects the whole web-view.

So every user can see every pool, host and so on.
hostedpower

2016-05-10 10:59

reporter   ~0002267

This seems a huge problem for us atm.

Please see the duplicate of this issue. Anyone else interested ? :|
mvwieringen

2016-05-10 17:00

developer   ~0002272

You are probably better off asking it on the mailing list. This is a bug tracker.
mvwieringen

2016-05-27 15:49

developer   ~0002278

There is now a page about funding development at

https://www.bareos.com/en/co-funding.html

This item is the first item on there.
mvwieringen

2016-09-02 18:14

developer   ~0002341

Fix committed to bareos master branch with changesetid 6593.

Related Changesets

bareos: master 08bb7f15

2016-09-01 19:40

mvwieringen

Ported: N/A

bcommand: Filter resources on list/llist.

This patch expands the OUTPUT_FORMATTER with a filtering framework.
On instantiation of the class you specify a callback function which
does the filtering e.g. returns true or false to indicate that the
item should or should not be printed.

The following new methods are added to the OUTPUT_FORMATTER:

- add_limit_filter_tuple(limit)
  Sets a new filtering tuple that limits the number of output
  lines.
- add_acl_filter_tuple(column, acltype)
  Sets a new filtering tuple where column is the column number in
  the SQL ROW returned and acltype being the ACL type to check
  against using acl_access_ok().
- add_res_filter_tuple(column, restype)
  Sets a new filtering tuple where column is the column number in
  the SQL ROW returned and restype being the resource type to check
  against using GetResWithName().
- add_enabled_filter_tuple(column, restype)
  Sets a new filtering tuple where column is the column number in
  the SQL ROW returned and restype being the resource type to
  retrieve and check the enabled flag of that resource.
- add_disabled_filter_tuple(column, restype)
  Sets a new filtering tuple where column is the column number in
  the SQL ROW returned and restype being the resource type to
  retrieve and check the enabled flag of that resource.
- clear_filters()
  Remove all filters currently set e.g. all tuples are removed.
- has_filters()
  Returns if there are any filters defined.
  This allows you to shortcut in the processing loop if no
  filtering needs to be done. Then there is no need to have the
  full overhead of calling the filter_data() methods that then
  finds out there is nothing to do.
- has_acl_filters()
  Returns if there are any ACL filters defined.
- filter_data(data)
  This function invokes the callback filter function with the
  data pointer you provide.
- add_hidden_column(column)
  Sets the given column to the hidden status and as such it will
  not be printed in the output. This allows you to add a column
  that is used for filtering but is not printed and thus invisible
  for the end-user.
- clear_hidden_columns()
  Remove all hidden columns currently set.
- is_hidden_column(column)
  Returns if the given column is hidden or not.

On instantiation of the OUTPUT_FORMATTER we set the so called context
to the current UA (UserAgent) for the filter function so that is
also passed to the filter callback function. This is analogous to the
send() method which already existed. As acl_access_ok() needs the
UA we need to have it accessible in the filtering function.

When you specify current in the cmdline of a list or llist it will now
set the needed resource filters which will check if the resource is
still in the active config before displaying it.

When you specify enabled in the cmdline of a list or llist it will now
set the needed resource filters which will check if the resource is
enabled or not.

When you specify disabled in the cmdline of a list or llist it will now
set the needed resource filters which will check if the resource is
disabled or not.

We now always call get_jobid_from_cmdline() to get the jobid. This way
we can check in get_jobid_from_cmdline() if the jobid given is allowed
under the current ACL settings for the UA. For this we lookup the job
data and the client data and check against the JobAcl and ClientAcl.

As part of refactoring this code we created some new and moved some
functions to be methods in the UAContext. From now on there is a
GetResByName() method that should be used to get the pointer to a
resource instead of calling the GetResByName() function directly in
src/lib/res.c as this version checks directly if the named console has
access to the wanted resource so we no longer have to code a call to
acl_access_ok(). All the macros for GetXXXResByName now are also methods
of the UAContext and use the new method. We also removed quite some
redundant LockRes() and UnlockRes() calls as at the lowest level when
calling a GetXXXResByName() a GetResByName() is called and that already
does the right locking and unlocking. One of the nicer advantages of
the new approach to check for acl_access_ok() in the resource lookup is
that the end-user gets back resource unknown instead of access denied
to resource (an audit event is logged however). This is also how things
work in most password authentication lookups in most UNIXes these days
as such you don't leak information about existing but not reachable
resources.

From now on messages will only be shown using the messages and .messages
functions to consoles with a non restrictive Command ACL setting. This
way no information can leak to any named console which doesn't have any
access to certain commands. Those named consoles can still do a list log
and see the data they are supposed to see under the restrictions of the
ACL that apply to those consoles.

Fixes 0000628: output of list command not restricted for own jobs/clients
on restricted consoles with ACLs
Affected Issues
0000628
mod - src/cats/protos.h
mod - src/cats/sql.c
mod - src/cats/sql_list.c
mod - src/dird/dird_conf.c
mod - src/dird/dird_conf.h
mod - src/dird/fd_cmds.c
mod - src/dird/migrate.c
mod - src/dird/protos.h
mod - src/dird/ua.h
mod - src/dird/ua_acl.c
mod - src/dird/ua_audit.c
mod - src/dird/ua_cmds.c
mod - src/dird/ua_configure.c
mod - src/dird/ua_db.c
mod - src/dird/ua_dotcmds.c
mod - src/dird/ua_label.c
mod - src/dird/ua_output.c
mod - src/dird/ua_prune.c
mod - src/dird/ua_restore.c
mod - src/dird/ua_run.c
mod - src/dird/ua_select.c
mod - src/dird/ua_server.c
mod - src/dird/ua_status.c
mod - src/dird/ua_update.c
mod - src/lib/output_formatter.c
mod - src/lib/output_formatter.h
mod - src/lib/parse_conf.h
mod - src/lib/res.c
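
The row filtering the commit message describes, as an added example that is not part of this tracker page or of the Bareos source: each ACL filter tuple names a column of the result row and the ACL type to check it against, and a hidden column is filtered on without being printed. All type and function names are hypothetical; the ACL names come from the Console resource in the report (its Profile ACLs are left out) and the catalog rows are constructed.

```c
/* Simplified model of list/llist row filtering; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum acl_type { JOB_ACL, CLIENT_ACL, ACL_TYPES };
struct console { const char *acl[ACL_TYPES][4]; };   /* NULL-terminated lists */
struct acl_filter { int column; enum acl_type type; };

/* ACLs copied from the Console resource in the report (Profile ACLs omitted). */
static const struct console user1 = {{
    { "userpc1-bj", "userpc2-bj", NULL },
    { "userpc1.example.com", "userpc2.example.com", NULL },
}};
/* Constructed catalog rows: jobid, job name, client name. */
static const char *sample_rows[][3] = {
    { "101", "userpc1-bj", "userpc1.example.com" },
    { "102", "otherpc-bj", "otherpc.example.com" },
    { "103", "userpc2-bj", "userpc2.example.com" },
};
/* Filter tuples: column 1 against the job ACL, column 2 against the client ACL. */
static const struct acl_filter job_filters[] = { {1, JOB_ACL}, {2, CLIENT_ACL} };

/* Default deny: a name that is not in the console's ACL is not shown. */
static int acl_ok(const struct console *c, enum acl_type t, const char *name) {
    for (int i = 0; i < 4 && c->acl[t][i]; i++)
        if (!strcmp(c->acl[t][i], "*all*") || !strcmp(c->acl[t][i], name))
            return 1;
    return 0;
}

/* Print the rows that pass every filter tuple, leaving out the hidden column.
 * Returns the number of rows shown; nfilters == 0 models the unfiltered output
 * from the report. */
static int list_rows(const struct console *c, const struct acl_filter *f,
                     int nfilters, const char *rows[][3], int nrows, int hidden) {
    int shown = 0;
    for (int r = 0; r < nrows; r++) {
        int ok = 1;
        for (int i = 0; i < nfilters && ok; i++)
            ok = acl_ok(c, f[i].type, rows[r][f[i].column]);
        if (!ok) continue;              /* filtered rows are silently dropped */
        for (int col = 0; col < 3; col++)
            if (col != hidden) printf("%s ", rows[r][col]);
        printf("\n");
        shown++;
    }
    return shown;
}

int main(void) { return list_rows(&user1, job_filters, 2, sample_rows, 3, 2) == 2 ? 0 : 1; }
```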

Issue History

Date Modified Username Field Change
2016-02-29 10:55 otto New Issue
2016-02-29 15:08 maik Status new => acknowledged
2016-04-07 16:03 robhost Note Added: 0002229
2016-05-09 18:52 mvwieringen Relationship added has duplicate 0000656
2016-05-10 10:59 hostedpower Note Added: 0002267
2016-05-10 17:00 mvwieringen Note Added: 0002272
2016-05-27 15:49 mvwieringen Note Added: 0002278
2016-09-02 18:14 mvwieringen Changeset attached => bareos master 08bb7f15
2016-09-02 18:14 mvwieringen Note Added: 0002341
2016-09-02 18:14 mvwieringen Status acknowledged => resolved
2016-09-02 18:14 mvwieringen Resolution open => fixed
2016-09-16 11:56 joergs Fixed in Version => 16.2.4
2016-09-16 11:56 joergs Steps to Reproduce Updated
2016-09-16 11:57 joergs Status resolved => closed
2016-09-16 11:57 joergs Assigned To => joergs
2016-09-16 11:57 joergs Assigned To joergs =>